After evaluating several vendors, the client felt that MetricStream was the best fit for them not only because of MetricStream’s successful track record at leading financial services institutions, but also the scalability, flexibility, and integrated capabilities of MetricStream’s internal audit management solution.
Today, MetricStream Internal Audit Management Solution has streamlined and automated the internal audit lifecycle across the client’s global enterprise. The audit team now has the freedom to focus less on cumbersome data entry and reporting tasks, and more on critical audit analysis.
The solution facilitates performing risk assessment for each organizational branch, based on which the frequency of audits for that particular branch could be automatically calculated. This provides organizations with the flexibility to choose the right audit approach based on their risk assessment results.
The solution also offers them a centralized system to track the progress of audit activities and issue remediation processes at any point across the global enterprise.
Below, in greater detail, are the capabilities of the solution:
Through configurable risk algorithms, the solution automatically calculates the risk score of each branch entity based on various factors such as the impact of outstanding internal audit issues, impact of outstanding regulatory issues, and the management of operational losses. Using these risk scores, the solution helps define the audit frequency for that particular branch entity. For instance, if the entity’s risk score is low, an audit may only be required once in 2-3 years. This kind of assessment is conducted across all branch entities worldwide with MetricStream’s solution. This way, the audit team has been able to better prioritize global audit activities.
Audit Planning and Attestations
The solution enables audit planning and scheduling by grouping together branch entities that need to be audited along similar lines.
During this process, the solution generates an entity advisor report that provides a comprehensive profile of each auditable entity (including their risk assessment scores and business monitoring plan) which helps the internal audit team effectively plan / prioritize audits.
After an entity is selected for an audit, the solution routes this data for approvals and attestations. Automated alerts and notifications are sent out to the relevant authorities to ensure that this process is completed on time.
The team also has the flexibility to reschedule audits (deviate from the audit dates calculated during the risk assessment) - at a later or earlier date, or even cancel it.
The solution streamlines the creation and allocation of work-papers for various audit tasks. These work-papers are assigned to the relevant branch auditors along with due dates. Each work-paper related to a particular branch or country has a list of all associated controls. This way, auditors can easily determine which controls to test.
During the audit execution phase, the solution captures each auditor’s qualitative and quantitative findings along with detailed observations and recommendations. It also provides a unique offline audit briefcase capability to record data when there is no internet connectivity. Thus, auditors can enter their audit findings as usual on their systems, and later synchronize the data with the central audit database when the network can be accessed again.
Control Exceptions and Issue Management
The system provides comprehensive functionality for managing audit issues/ findings arising from the auditing processes. If auditors find that a control is inadequate or missing, they can log a control exception. Similar control exceptions are grouped into an issue. The solution routes these issue for approvals, investigations, and remediation. Users can create action plans to address and resolve each issue. They can also monitor the status of the issue as it moves from one stage to the next, and validate the effectiveness of the action plan. After the risk caused by the issue has been sufficiently mitigated, the issue is closed.
The solution automatically generates a range of audit reports that consolidate audit findings for easy & effective analysis. These reports come with drill-down capabilities that help in studying the audit findings from each branch at deeper level, and enable users to compare and contrast audit results by a variety of parameters.
The solution also provides complete, real-time visibility into the internal audit process across the global enterprise through powerful, graphical executive dashboards. Users can track the progress of each audit against pre-defined milestones to ensure timely execution.
Increasing regulatory reforms, including the Dodd-Frank Act, Basel II, SOX, Solvency II, and other local and global compliance mandates, have upped the pressure on internal audit teams to evaluate the effectiveness of risk and control processes across the enterprise in a timely manner.
At the client organization, this challenge is compounded by the sheer scope and scale of internal audits - there are multiple branch entities spread across various countries, and each has to be audited for different risks and compliance requirements. Since it is neither efficient nor cost-effective to audit every single entity each year, the internal audit team has to be able to prioritize and short-list auditable entities. Previously, there was no established way of doing so.
Moreover, the audit process was often a resource-intensive and time-consuming affair. Audit findings and other data were usually entered into various spreadsheets; from there, they had to be manually collated and consolidated into audit reports before they were analyzed and shared with stakeholders. This approach often led to duplication of effort and data, given the number of auditors and spreadsheets involved.
Faced with these challenges, the client began looking for a solution that could help them optimize the efficiency of their internal audits, and also better track the status of audits across the global enterprise at any given time.
The client chose MetricStream for the following reasons:
The MetricStream solutions are successfully used by some of the largest banks and financial services institutions to strengthen their internal audit program.
Leading analysts have cited MetricStream as a market-leader in governance, risk, and compliance solutions.
MetricStream solutions have the flexibility to be configured to the client’s unique needs, and mapped to their business hierarchy.
The solutions provide the scalability to be used across thousands of auditable entities scattered in different global locations.
The solutions enable an integrated, automated, and agile approach to internal audit management.
- A single system for multiple global audits
The solution is used by more than 300 auditors worldwide. It scales across organizational branches in various countries, providing an integrated system to plan, manage, and track audits. Each branch entity has the flexibility to independently conduct their own audits; at the same time, the solution rolls up audit findings and reports from across entities to be analyzed at the global level.
- Faster and efficient audit process
The solution has replaced spreadsheets and other manual audit tools with an automated and streamlined approach. Thus, auditors have been able to save time and costs, and minimize redundancies and errors.
- Sharper audit focus
The solution automatically calculates the risk scores of each branch entity, enabling auditors to quickly determine whether that entity needs to be audited on priority or not. This approach enables them to focus their efforts only on high-risk entities, instead of all entities at once.
- Complete audit visibility
The solution is equipped with powerful reports and dashboards that consolidate audit findings and status reports in real time, providing a comprehensive and in-depth view into the audit process, and enabling auditors to make data-driven decisions.
- Minimized recurrence of audit issues
Every audit issue that arises is routed through a streamlined and collaborative process of investigation, analysis, and remediation. Automated alerts, notifications, and escalations help ensure that this process is completed effectively, and that the possibility of the issue recurring is minimized.